How does one review your site's logs for suspicious activity?

What am I looking for?

         

expat123

5:02 am on May 14, 2005 (gmt 0)

10+ Year Member



My site is receiving an unusual increase in clicks in the last few days and my CTR has increased about 35% above a fairly consistent average.

I recently started to re-send a daily newsletter to my site's subscribers after about a 3-month lapse, so I think that might explain the increase. I also added another ad-unit to my pages.

In any case, I notified Google adsense about the increase in activity because it is unusual.

They told me that they recommend I review my site's logs for any suspicious activity and notify them of my findings.

How do I review my logs with an eye towards finding suspicious activity (is there a utility I could use)?

FakeOutdoorsman

8:45 pm on May 16, 2005 (gmt 0)



Log into your site via SFTP or FTP and search around for your log files. For example, mine are located here:

/www/example.com/logs

On my logs, some suspicious activity looks like this:


[Sun May 15 20:43:07 2005] [error] [client 210.105.204.13] script not found or unable to stat: /usr/local/apache2/cgi-bin/FormMail.pl, referer: http://www.example.com/cgi-bin/FormMail.pl
[Sun May 15 20:43:25 2005] [error] [client 193.171.32.4] script not found or unable to stat: /usr/local/apache2/cgi-bin/formmail.cgi, referer: http://www.example.com/cgi-bin/formmail.cgi
[Sun May 15 20:43:31 2005] [error] [client 71.128.40.225] script not found or unable to stat: /usr/local/apache2/cgi-bin/BFormMail.pl, referer: http://www.example.com/cgi-bin/BFormMail.pl
[Sun May 15 20:43:31 2005] [error] [client 66.208.250.39] script not found or unable to stat: /usr/local/apache2/cgi-bin/formmail.cgi, referer: http://www.example.com/cgi-bin/formmail.cgi
[Sun May 15 20:43:35 2005] [error] [client 24.184.140.233] script not found or unable to stat: /usr/local/apache2/cgi-bin/formmail.pl, referer: http://www.example.com/cgi-bin/formmail.pl
[Mon May 16 04:04:58 2005] [error] [client 194.170.32.251] script not found or unable to stat: /usr/local/apache2/cgi-bin/FormMail.pl, referer: http://www.example.com/cgi-bin/FormMail.pl

What is happening here is that some zombie spam bots are looking for an e-mailing script to exploit.

Check the times to see how fast something is being accessed. Besides the file name, it is what tells me that it isn't a real person.

Your access logs can help you with the errors. Listed above is visitor IP 194.170.32.251. I then search that in my access logs to see what else they are accessing.

chris3ds

1:46 am on May 19, 2005 (gmt 0)

10+ Year Member



Hello

There are several web stats services able to track the exit clicks or Adsense exit clicks.

I can't post the URL because of the TOS, but you may search on Google for "Google Adsense tracking clicks".

Chris

Dijkgraaf

5:39 am on May 31, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Look for entries in your logs which have a status of 400 and above. These are usually quite informative and quite often let you spot bad bots (although even the best of bots will get a 404 error every so often).

Look at the refer entries in your log; if you are seeing a lot of refers that would probably not have links to you (e.g. a lot of URLs with the word poker or casino) then you are observing LogSpam.

Look for a lot of entries in a small time span; this could be some bad bot scanning your site.
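
The three checks in the post above (status 400 and above, spam referers, many entries in a short time span) can be run over an access log in one pass. The following is an added example, not code from any poster in this thread; the sample lines, the `review` function name and the thresholds (3 requests within 10 seconds, at least 2 errors making up half or more of a client's requests) are constructed assumptions, and the log is assumed to be in Apache "combined" format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache "combined" access-log format (documentation IPs).
SAMPLE_LOG = """\
203.0.113.7 - - [15/May/2005:20:43:07 +0000] "GET /cgi-bin/FormMail.pl HTTP/1.0" 404 210 "-" "-"
203.0.113.7 - - [15/May/2005:20:43:08 +0000] "GET /cgi-bin/formmail.cgi HTTP/1.0" 404 210 "-" "-"
203.0.113.7 - - [15/May/2005:20:43:09 +0000] "GET /cgi-bin/BFormMail.pl HTTP/1.0" 404 210 "-" "-"
198.51.100.9 - - [15/May/2005:21:00:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "http://poker.example/links" "Mozilla/4.0"
192.0.2.44 - - [15/May/2005:21:05:10 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [15/May/2005:21:09:30 +0000] "GET /old-page.html HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "[^"]*"')
SPAM_WORDS = ("poker", "casino")  # the words named in the post

def review(log_text, burst_hits=3, burst_window=timedelta(seconds=10)):
    """Return {ip: sorted list of reasons} for clients worth a closer look."""
    errors, times, flags = defaultdict(int), defaultdict(list), defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip = m["ip"]
        times[ip].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
        if int(m["status"]) >= 400:
            errors[ip] += 1
        if any(w in m["ref"].lower() for w in SPAM_WORDS):
            flags[ip].add("referer spam")
    for ip, stamps in times.items():
        stamps.sort()
        # Burst: burst_hits requests falling inside one burst_window.
        for i in range(len(stamps) - burst_hits + 1):
            if stamps[i + burst_hits - 1] - stamps[i] <= burst_window:
                flags[ip].add("burst")
                break
        # One stray 404 is normal; flag only clients that are mostly errors.
        if errors[ip] >= 2 and errors[ip] * 2 >= len(stamps):
            flags[ip].add("mostly 4xx/5xx")
    return {ip: sorted(r) for ip, r in flags.items()}

if __name__ == "__main__":
    for ip, reasons in review(SAMPLE_LOG).items():
        print(ip, ", ".join(reasons))
```

The client with a single 404 among normal requests is not flagged, which matches the caveat that even good bots and real visitors hit a 404 now and then.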

nmattheij

8:30 am on Jun 1, 2005 (gmt 0)

10+ Year Member



I created specific reports for tracking suspicious traffic.

Looking for status 400 and above is a good idea. Most of the time 'hackers' try to access all kinds of admin scripts and a LOT of cmd.exe in all possible directories.